CVE-ID

CVE-1999-1172

Description
By design, Maximizer Enterprise 4 calendar and address book program allows arbitrary users to modify the calendar of other users when the calendar is being shared.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
Date Entry Created
20010831
Disclaimer: The entry creation date may reflect when the CVE-ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Proposed (20010912)
Votes (Legacy)
MODIFY(1) Frech
NOOP(3) Cole, Foat, Wall
REVIEWING(1) Christey
Comments (Legacy)
 Christey> The discloser does not provide enough details to fully
   understand what the problem is.  This makes it difficult
   because if Maximizer has a concept of "users" and it is
   designed to allow any user to modify any other user's data,
   then this would not be a vulnerability or exposure, unless
   that "cross-user" capability could be used to violate system
   integrity, data confidentiality, or the like.  There are some
   features of Maximizer 6.0 that, if abused, could allow someone
   to do some bad things.  For example, an attacker could modify
   the email addresses for contacts to redirect sales to
   locations besides the customer.  There's also a capability of
   assigning priorities and alarms, which could be susceptible to
   an "inconvenience attack" at the very least, as well as
   tie-ins to e-commerce capabilities.
   
   The critical question becomes: "how is this data shared" in
   the first place?  If it's through a network share or other
   distribution method besides transferring the complete database
   between sites, then this may be accessible to any attacker who
   can mimic a Maximizer client (if there is such a thing as a
   client), and this could be a vulnerability or exposure
   according to the CVE definition.
   
   However, since the Maximizer functionality is unknown to me
   and not readily apparent from product documentation, it's hard
   to know what to do about this one.
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:maximizer-enterprise-calendar-modification(7590)

Proposed (Legacy)
20010912
This is an entry on the CVE list, which standardizes names for security problems.